2
\$\begingroup\$

This is my account table:

CREATE TABLE mwUser (
  username varchar2(20) primary key not null, 
  salt varchar2(64) unique not null,
  hashedpw varchar2(64) not null, 
  email varchar2(320) unique not null 
);

When I register a new user with my java webservice I automatically generate a random salt and store in the database base (see code below):

Connection c = dataSource.getConnection(); 
Statement stmt = c.createStatement();
boolean isFound=true;
String randomSalt="";
while(isFound){
   isFound=false;
   String randomSalt=createRandomString(); //creates salt/random string
   ResultSet rs = stmt.executeQuery("SELECT * FROM mvUser where salt="+randomString);
   //check if salt is unique
   while (rs.next()) {
     isFound=true;
   }
}

Statement insertStmt = c.createStatement();
String hashedPW=hash(randomSalt+pw); //generates hashed pw
ResultSet rs = stmt.executeQuery("INSERT INTO mvUser VALUES(.....));

stmt.close();
c.close();

But as you can see, from my point of view my code is not clean/performant/readable because I have two statements (for checking if salt is unique and and second statement is for inserting).

How can I automatically generate an unique string(salt) and hash it at the same time. I am trying to make my code more performant and read able.

\$\endgroup\$

1 Answer 1

Reset to default
4
\$\begingroup\$

Please use best practices in general when dealing with password hashing.

  • If you have to verify the database for your generated salt to be unique, you're using a bad salt generator. Make sure to focus on using a good generator instead.
  • Your hash function also seems weak. Consider using key stretching.

This should not be required:

while(isFound){
   isFound=false;
   String randomSalt=createRandomString(); //creates salt/random string
   ResultSet rs = stmt.executeQuery("SELECT * FROM mvUser where salt="+randomString);
   //check if salt is unique
   while (rs.next()) {
     isFound=true;
   }
}

And for hash, I would expect something like below, where hash is an established hash library (PBKDF2, bcrypt, scrypt, ..).

var hashedPW = hash(iterations, randomSalt, pw);
\$\endgroup\$
3
  • 1
    \$\begingroup\$ but even a good salt generator doesnt ensure that the salt is unique? The likelihood that the salt already exsists is just smaller? \$\endgroup\$ Commented Jun 12, 2019 at 10:14
  • \$\begingroup\$ @Lebron11 Exactly, and in combination with a variable number of iterations, even if two users happen to have the same plain text password and salt, they would end up having different hashes. \$\endgroup\$ Commented Jun 12, 2019 at 10:25
  • 1
    \$\begingroup\$ And even if they don't, the chances of that happening are extremely small. So I doubt there's much risk after that. I mean, what attack is going to abuse 2 random users having the same hash if you don't know which 2 users it's about? \$\endgroup\$ Commented Jun 12, 2019 at 12:53

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.